Some 57% of CIO/CISOs surveyed by the consultancy firm EY have experienced a recent significant cybersecurity incident, proving that more work is needed to strengthen the corporate shield.
Careless or unaware employees (55%), unauthorized access (54%) and outdated information security controls or architecture (48%) are the vulnerabilities that most increased risk exposure over the last 12 months, IT decision makers say. The main rising threats in 2016 are malware (52%), phishing (51%), cyber attacks to steal financial information (45%), cyber attacks to steal IP or data (42%), and internal attacks (33%).
The number of respondents who say their budgets increased over the past 12 months rose to 53% of respondents this year, from 43% in 2013. The number who say their budgets will rise over the next 12 months rose to 55% from 50% at the same time. However, organizations say more funding is needed, with 61% citing budget constraints as a challenge and 69% of respondents saying they need up to a 50% bigger budget.
Among the respondents, 75% say those responsible for information security have no seat on the board. Moreover, 89% of organizations do not evaluate the financial impact of every significant breach and, of those that have had a cyber incident in the last year, 49% have no idea what the financial damage could be.
Of the organizations surveyed, 62% would not increase their cybersecurity spending after experiencing a breach which did not appear to do any harm.
“In most cases, there is harm being done, but there was no immediate evidence found to support that,” authors of the study say. “Cyber criminals often make test attacks, lie dormant after a breach, or use a breach as a diversionary tactic to throw organizations off the trail of what they are really up to. Organizations should assume that harm has been done every time there is an attack, and if they have not found it, they should consider that they have not found it yet.”
Sixty-eight percent of respondents would not increase their information security spending even if a supplier was attacked — even though a compromised supplier gives an attacker a direct route into the organization — while 58% would not increase their spending if a major competitor was attacked, although cyber criminals like to attack organizations that are similar in infrastructure and operating frameworks, and they carry forward the learnings from one successful attack to the next.
The research was conducted between June and August 2016 and captures the responses of 1,735 C-suite leaders and Information Security and IT executives/managers, representing the largest global companies.